Chapter 3. Linux Operating System, https://nebul4ck.wordpress…
Operating systems & kernels
The kernel is part of the OS; it is basically the bridge between the software and the hardware of the system.
Linus Torvalds released the first Linux kernel in 1991 under the open source model.
Currently many people use the word Linux to refer to a specific OS, but technically it is just the kernel.
An operating system is software that contains different programs, and the kernel is one of them.
In general terms, the OS has the functions of the kernel and also provides an interface between the computer and the user. It requires very little hardware resources to run, and it is open source: anyone can get the kernel's source code, inspect it, modify it, and re-compile it; it is also allowed to redistribute the program with or without charge.
Linux distributions are packages that include the Linux kernel with customized tools and software packages. Debian, Red Hat, Ubuntu, CentOS, and SUSE are just a few examples of Linux distributions.
Value of Linux
Linux is open source: it allows analysts and administrators to tailor-build an operating system specifically for security analysis.
The Linux CLI is extremely powerful: the Linux Command Line Interface (CLI) enables analysts to perform tasks not only directly on a terminal, but also remotely, because the CLI requires very few resources.
More control over the OS: the administrator user in Linux, known as the root user, or superuser, has absolute power over the computer.
Better network communication control: because the OS can be tweaked and adjusted in practically every aspect, it is a great platform for creating network applications. This is the same reason why many great network-based software tools are available for Linux only.
Linux in the SOC
The entire operating system can be tailored to become the perfect security analysis platform.
These are a few tools that are often found in a SOC:
Network packet capture software – This software is used for network packet captures. Wireshark is a popular packet capture tool. tcpdump is another packet capture tool, but it is used in the CLI.
Malware analysis tools – In the case of new malware detection, these tools allow analysts to safely run and observe malware execution without the risk of compromising the underlying system.
Intrusion detection systems (IDSs) – These tools are used for real-time traffic monitoring and inspection. If any aspect of the currently flowing traffic matches any of the established rules, a pre-defined action is taken.
Firewalls – This software is used to specify, based on pre-defined rules, whether traffic is allowed to enter or leave the network.
Log managers – Log files are used to record events. Because a large network can generate a very large number of event log entries, log managers are employed to facilitate log monitoring.
Security information and event management (SIEM) – SIEMs provide real-time analysis of alerts and log entries generated by network appliances such as IDSs and firewalls.
Ticketing systems – Ticket assignment, editing, and recording is done through a ticket management system.
Linux computers used in the SOC often contain penetration testing (PenTesting) tools. A penetration test is the process of looking for vulnerabilities in a network or computer by attacking it. Packet generators, port scanners, and proof-of-concept exploits are examples of PenTesting tools.
Kali Linux is a Linux distribution created to group many penetration tools.
Working in the Linux shell
The Linux Shell
In Linux, the user communicates with the OS by using the CLI or the GUI. Linux often boots into the GUI by default, hiding the CLI from the user.
One way to access the CLI from the GUI is through a terminal emulator application. These applications provide user access to the CLI and are often named as some variation of the word "terminal". In Linux, popular terminal emulators are Terminator, eterm, xterm, konsole, and gnome-terminal.
There are also websites that let you experience the Linux CLI in your web browser.
Linux commands are programs created to perform a specific task. Use the man command (short for manual) to obtain documentation about commands. For example, man ls displays the manual page of the ls command.
The shell will look for user-typed commands in specific directories and attempt to execute them. The list of directories checked by the shell is called the path (the PATH environment variable).
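The PATH lookup just described is also where a lot of command-hijacking trouble starts: if the list contains a relative entry such as "." or a directory that other users can write to, the shell may run a planted program instead of the real command. The POSIX shell functions below are an added example, not code from the original page; they reproduce the shell's left-to-right search and audit a PATH value for relative entries, world-writable directories and missing directories. The function names and the directories used in the demo are my own.

```shell
#!/bin/sh
# Added example (not from the original page): how the shell resolves a command
# name through PATH, plus a small audit of PATH entries. Function names are
# illustrative.

# resolve_cmd NAME [PATHLIST]
# Print the first executable called NAME found in PATHLIST (default: $PATH),
# walking the entries left to right exactly as the shell does. Exit 1 if none.
resolve_cmd() {
    name=$1
    pathlist=${2:-$PATH}
    old_ifs=$IFS
    IFS=:
    for dir in $pathlist; do
        [ -z "$dir" ] && dir=.        # an empty entry means "current directory"
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# audit_path [PATHLIST]
# Print one finding per risky entry and exit 1 if any were found:
#   RELATIVE  entry is not an absolute path ("", ".", "bin", ...)
#   WRITABLE  directory is world-writable, so anyone can drop a fake command in it
#   MISSING   directory does not exist (someone else could create it later)
audit_path() {
    pathlist=${1:-$PATH}
    found=0
    old_ifs=$IFS
    IFS=:
    for dir in $pathlist; do
        case $dir in
            /*)
                if [ ! -d "$dir" ]; then
                    printf 'MISSING  %s\n' "$dir"; found=1
                # find -H follows a symlinked entry (e.g. /bin -> usr/bin) so the
                # real directory's mode is tested, not the symlink's 777.
                elif [ -n "$(find -H "$dir" -prune -perm -002 2>/dev/null)" ]; then
                    printf 'WRITABLE %s\n' "$dir"; found=1
                fi ;;
            *)
                printf 'RELATIVE %s\n' "${dir:-<empty>}"; found=1 ;;
        esac
    done
    IFS=$old_ifs
    return $found
}

# Demo on the current environment: which "ls" would run, then the audit.
resolve_cmd ls || echo "ls not found in PATH"
audit_path && echo "PATH looks sane" || echo "PATH needs attention"
```

Run it with a deliberately bad value, for example `audit_path ".:/usr/local/bin:/tmp"`, to see all three finding types; the exit status makes it usable from a cron job or a hardening script.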
chown: changes the ownership of a file
dd: copies data from an input to an output
pwd: displays the name of the current directory
ps: lists the processes currently running in the system
su: simulates a login as another user or to become a superuser
sudo: runs a command as another user
ls: displays the files inside a directory
cd: changes the current directory
mkdir: creates a directory under the current directory
cp: copies files from source to destination
grep: searches for specific strings of characters within a file or other commands' outputs
chmod: modifies file permissions
mv: moves or renames files and directories
ifconfig: displays or configures network card related information. If used without parameters it will display the current network card(s) configuration
apt-get: used to install, configure and remove packages on Debian and its derivatives. It is a user-friendly command line front-end for dpkg, Debian's package manager
iwconfig: used to display or configure wireless network card related information. It will display wireless information when issued without parameters
shutdown: shuts down the system. It can be instructed to perform a number of shut down related tasks, including restart, halt, put to sleep or kick out all currently connected users
passwd: used to change the password. If no parameters are provided, it changes the password for the current user
cat: concatenates files and sends the result to the standard output
man: used to display the information for a specific command
touch: changes file timestamps. A FILE argument that does not exist is created empty
Working with text files
Linux has many different text editors, with various features and functions.
nano is a popular command-line text editor. Due to the lack of graphical support, nano (or GNU nano) can only be controlled with the keyboard. For example, CTRL+O saves the current file and CTRL+X exits the editor.
Vim is a highly configurable text editor built to make creating and changing any kind of text very efficient. It is included as "vi" with most UNIX systems and with Apple OS X.
The Importance of Text Files in Linux
In Linux, everything is treated as a file.
Files include the memory, the disks, the monitor, the regular files, and the directories.
The computer itself is configured through files. Known as configuration files, they are usually text files used to store adjustments and settings for specific applications or services.
Example: An administrator can use the command
sudo nano /etc/hosts
to open the file. The command sudo (short for "superuser do") invokes the superuser privilege to use the nano text editor to open the hosts file.
The "hosts" file is used to map host names to IP addresses. With the hosts file you can change the IP address to which a certain domain name resolves.
This is particularly useful when you want to see how a website will work on a different server without having to wait for the DNS change to propagate, or to avoid any DNS change entirely.
Exercise: create a docker container, then try to change localhost to a different word in the /etc/hosts file and access the container using the new name (e.g. use a httpd image); finally revert the changes and remove the container.
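The same mechanism that lets you point a domain at a test server lets malware redirect a site or silence an update server, so a defender wants to query and watch the hosts file as well as edit it. The POSIX shell functions below are an added example, not part of the original page: they parse hosts-file syntax (address, one or more names, optional # comment), look up a name the way the file is read top to bottom, and compare a current file against a known-good baseline to report added entries. Function names and the constructed sample files in the demo are mine.

```shell
#!/bin/sh
# Added example (not from the original page): parse, query and diff /etc/hosts.
# Function names are illustrative; the files used in the demo are constructed.

# hosts_entries FILE
# Normalize a hosts file to one "address name" pair per line: comments removed,
# whitespace collapsed, names lower-cased (hostname matching is case-insensitive).
hosts_entries() {
    awk '
        { sub(/#.*/, "") }                  # drop comments, full-line or trailing
        NF >= 2 { for (i = 2; i <= NF; i++) print $1, tolower($i) }
    ' "$1"
}

# hosts_lookup FILE NAME
# Print the address of the first entry whose name matches NAME (the file is read
# top to bottom, so an earlier line wins). Prints nothing if there is no match.
hosts_lookup() {
    hosts_entries "$1" | awk -v name="$2" 'tolower(name) == $2 { print $1; exit }'
}

# hosts_diff BASELINE CURRENT
# Print every "address name" pair in CURRENT that is absent from BASELINE.
# An empty result means CURRENT has no additions relative to the baseline.
hosts_diff() {
    base=$(mktemp)
    hosts_entries "$1" > "$base"
    hosts_entries "$2" | grep -vxF -f "$base" || true
    rm -f "$base"
}

# Demo with two constructed files: a clean baseline and a copy with one extra mapping.
demo_hosts() {
    d=$(mktemp -d)
    printf '127.0.0.1\tlocalhost\n::1\tlocalhost ip6-localhost\n' > "$d/baseline"
    cp "$d/baseline" "$d/current"
    printf '203.0.113.5\twww.example.com   # constructed test entry\n' >> "$d/current"
    echo "www.example.com resolves via hosts to: $(hosts_lookup "$d/current" WWW.EXAMPLE.COM)"
    echo "entries added since baseline:"
    hosts_diff "$d/baseline" "$d/current"
    rm -rf "$d"
}
demo_hosts
```

For the exercise above, `hosts_lookup /etc/hosts <newname>` confirms what you wrote, and `getent hosts <newname>` confirms what the resolver actually returns. Keeping a copy of the clean file and running `hosts_diff /path/to/clean-copy /etc/hosts` after the test is an easy way to prove the revert was complete.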
Lab – Working with Text Files in the CLI
The Cisco CyberOps VM only includes SciTE as a graphical text editor application.
Lab – Getting Familiar with the Linux Shell
In this lab, you will use the Linux command line to manage files and folders and perform some basic administrative tasks.
Linux Servers and clients
Servers are computers with software installed that enables them to provide services to clients.
Clients are computers with software installed that enables them to request services from servers.
Ports are numbers used to specify a service, e.g. port 443 is for HTTPS.
1-1023 well-known ports: used by system processes that provide widely used types of network services.
20 & 21: File Transfer Protocol (FTP)
25: Simple Mail Transfer Protocol (SMTP)
53: Domain Name System (DNS) service
80: Hypertext Transfer Protocol (HTTP)
110: Post Office Protocol (POP3)
143: Internet Message Access Protocol (IMAP)
443: HTTP Secure (HTTPS)
161 & 162: Simple Network Management Protocol (SNMP)
22: Secure Shell (SSH)
123: Network Time Protocol (NTP)
1024-49151 registered ports: they are assigned by IANA for a specific service upon application by a requesting entity. On most systems, registered ports can be used by ordinary users.
1234: VLC
1220: QuickTime Server Admin
1935: RTMP
2948 & 2949: MMS
5004 & 5005: RTP
5060 & 5061: SIP
5269: XMPP
5500, 5800 & 5900: VNC
8008: HTTP Alternate
25565: MySQL
49152-65535 dynamic/ephemeral/private ports: available for any application to use in communicating with any other application.
Lab – Linux Servers
In this lab, you will use the Linux command line to identify servers running on a given computer.
Many programs run in the background, so users may not immediately detect what programs are running on a given computer. In Linux, running programs are also called processes.
ps: displays running processes
sudo ps -elf
-e Select all processes. Identical to -A
-l Long format
-f Do full-format listing
The netstat program is obsolete and its replacement is ss.
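Since ss has replaced netstat, the quickest inventory of what a Linux host offers to the network is `ss -tulnp` (TCP and UDP listeners, numeric ports, owning process; run it with sudo so the process column is filled in for every socket), and an analyst normally wants that list compared with the ports the host is supposed to expose. The POSIX shell functions below are an added example, not code from the page: they parse ss output read from stdin, print protocol, port and process for each listening socket, and flag ports outside an allow-list. The ss sample is constructed (process names and PIDs are made up) so the script runs without touching the live system.

```shell
#!/bin/sh
# Added example (not from the original page): inventory listening sockets from
# `ss -tulnp` output and flag ports that are not on an allow-list.
# Function names are illustrative; the sample output below is constructed.

# listening_ports
# Read `ss -tulnp` output on stdin and print "proto port process" for every TCP
# socket in LISTEN state and every bound UDP socket (state UNCONN). The port is
# the text after the last ':' of the local address, which also handles IPv6
# forms such as "[::]:22" and scoped addresses like "127.0.0.53%lo:53".
listening_ports() {
    awk '$2 == "LISTEN" || $2 == "UNCONN" {
        n = split($5, parts, ":"); port = parts[n]
        proc = "-"      # shown when ss could not read the owner (no -p, or no privilege)
        if (match($0, /"[^"]*"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
        print $1, port, proc
    }'
}

# unexpected_listeners "PORT PORT ..."
# Read listening_ports output on stdin and print only the lines whose port is
# not in the space-separated allow-list.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print }
    '
}

# Constructed sample in the layout `ss -tulnp` prints (PIDs and names are made up).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q   Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0        127.0.0.53%lo:53     0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=13))
tcp   LISTEN 0      128      0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      511      *:80                 *:*               users:(("apache2",pid=900,fd=4),("apache2",pid=901,fd=4))
tcp   LISTEN 0      128      [::]:22              [::]:*            users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      4096     0.0.0.0:8888         0.0.0.0:*         users:(("python3",pid=1337,fd=3))
EOF
}

# Demo: full inventory, then only what is outside the expected set {22, 53, 80}.
# On a live host replace sample_ss_output with: sudo ss -tulnp
echo "listening sockets:"
sample_ss_output | listening_ports
echo "not on the allow-list:"
sample_ss_output | listening_ports | unexpected_listeners "22 53 80"
```

The PID in the process column is what ties this back to `ps -elf`: once a port is flagged, `ps -elf | grep <pid>` (or `ps -p <pid> -f`) shows the full command line, parent process and start time of whatever is listening.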
Basic Server Administration
Service configuration files
Monitoring service logs
In Linux, log files can be categorized as: application logs, event logs, service logs, system logs.
Popular Linux log files and their functions:
/var/log/messages – This log contains generic computer activity logs. It is mainly used to store informational and non-critical system messages. In Debian-based computers, /var/log/syslog serves the same purpose.
/var/log/auth.log – This file stores all authentication-related events in Debian and Ubuntu computers. Anything involving the user authorization mechanism can be found in this file.
/var/log/secure – This log is used by RedHat and CentOS computers instead of /var/log/auth.log. It also tracks sudo logins, SSH logins, and other errors logged by SSSD.
/var/log/boot.log – This file stores boot-related information and messages logged during the computer startup process.
/var/log/dmesg – This log contains kernel ring buffer messages. Information related to hardware devices and their drivers is recorded here. It is very important because, due to their low-level nature, logging systems such as syslog are not yet running when these events take place and therefore they are often unavailable to the administrator in real time.
/var/log/kern.log – This file contains information logged by the kernel.
/var/log/cron – Cron is a service used to schedule automated tasks in Linux and this log stores its events. Whenever a scheduled task (also called a cron job) runs, all its relevant information including execution status and error messages is stored here.
/var/log/mysqld.log – This is the MySQL log file. All debug, failure and success messages related to the mysqld process and the mysqld_safe daemon are logged here. RedHat, CentOS and Fedora store MySQL logs under /var/log/mysqld.log, while Debian and Ubuntu maintain the log in the /var/log/mysql.log file.
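/var/log/auth.log (or /var/log/secure on RedHat-style systems) is the file an analyst opens first to see who authenticated and what was run through sudo. The POSIX shell functions below are an added example and not from the page: they read auth-log lines on stdin, count failed SSH password attempts per source address, list the sources at or above a threshold, and print the sudo commands that were run. The six log lines in the sample are constructed (hostname, users and addresses are made up, using documentation IP ranges).

```shell
#!/bin/sh
# Added example (not from the original page): summarize authentication events
# from /var/log/auth.log style lines. Function names are illustrative; the
# sample log below is constructed.

# failed_logins_by_source
# Read sshd log lines on stdin and print "count address", highest count first,
# for every source address that produced "Failed password" events.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
    }
    END { for (ip in count) print count[ip], ip }' | sort -rn
}

# brute_force_sources THRESHOLD
# Print only the addresses whose failed-login count is >= THRESHOLD.
brute_force_sources() {
    failed_logins_by_source | awk -v limit="$1" '$1 + 0 >= limit + 0 { print $2 }'
}

# sudo_commands
# Print "user command" for every sudo entry: the field after "sudo:" is the
# invoking user, and COMMAND= is the last key on the line, so everything after
# it is the command that was run.
sudo_commands() {
    awk '$5 == "sudo:" { user = $6; line = $0; sub(/.*COMMAND=/, "", line); print user, line }'
}

# Constructed sample in the classic syslog layout used by auth.log.
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:15:01 soc-host sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51522 ssh2
Mar  3 10:15:03 soc-host sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 51522 ssh2
Mar  3 10:15:07 soc-host sshd[2240]: Failed password for root from 198.51.100.23 port 51530 ssh2
Mar  3 10:16:12 soc-host sshd[2255]: Accepted publickey for analyst from 192.0.2.10 port 40112 ssh2: ED25519 SHA256:constructed
Mar  3 10:17:45 soc-host sudo:  analyst : TTY=pts/0 ; PWD=/home/analyst ; USER=root ; COMMAND=/usr/bin/nano /etc/hosts
Mar  3 10:18:02 soc-host sshd[2270]: Failed password for invalid user test from 203.0.113.77 port 60001 ssh2
EOF
}

# Demo. On a live Debian/Ubuntu host replace sample_auth_log with:
#   sudo cat /var/log/auth.log      (or /var/log/secure on RedHat/CentOS)
echo "failed SSH logins per source:"
sample_auth_log | failed_logins_by_source
echo "sources with 3 or more failures:"
sample_auth_log | brute_force_sources 3
echo "sudo commands:"
sample_auth_log | sudo_commands
```

The sudo line in the sample is exactly what the `sudo nano /etc/hosts` example earlier in this chapter leaves behind, which is why reviewing sudo entries is a cheap way to spot unexpected edits to configuration files.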